Juniper ScreenOS: DHCPv6 Prefix Delegation

The Juniper ScreenOS firewall is one of the few firewalls that implements DHCPv6 Prefix Delegation (DHCPv6-PD). It is therefore a good fit for testing my dual stack ISP connection from Deutsche Telekom, Germany. (Refer to this post for details about this dual stack procedure.)

It was *really* hard to get the correct configuration in place. I was not able to do this by myself at all. Google did not help much either. Finally, I opened a case with Juniper to help me find the configuration error. Four weeks after opening the case, I was told which command was wrong. Now it's working. ;) Here we go.

Note that I will not explain how DHCPv6 prefix delegation works. I will only go into the details of how to configure it on a Juniper ScreenOS SSG firewall. My Google results for this case brought me to this and that page. But none of them correctly revealed the working configuration commands.

The basic idea is to receive a /56 IPv6 prefix from the ISP via DHCPv6-PD and to hand out /64 subnets (prefixes) from that /56 to the client networks.

Configuration

This picture shows the main parts on how the SSG should be configured:

Monitoring

Interfaces: the transfer segment gets a /64 via RA, and the two client interfaces get their subnets from the delegated prefix. All interface IDs are set automatically according to EUI-64 addresses.

The prefix to be advertised via RA is set automatically.

Note the different subnet ID (here: 42) configured on each of my two client interfaces.

The learned /56 prefix from my ISP (Deutsche Telekom).

The complete IPv6 routing table, one more time with the two different subnets.
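To make the addressing in the screenshots concrete, here is an added Python example (not ScreenOS code or anything from the original post) that carves a /64 out of a delegated /56 by subnet ID, as the SSG does for its client interfaces, and builds the SLAAC address a client forms from that /64 plus its modified EUI-64 interface ID. The /56 and the MAC address are constructed sample values, not the author's real prefix.

```python
import ipaddress

# Constructed sample values: a documentation /56 standing in for the prefix an
# ISP delegates via DHCPv6-PD, and a made-up client MAC address.
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:ab00::/56")
SAMPLE_MAC = "00:1b:21:3c:4d:5e"


def client_subnet(delegated: ipaddress.IPv6Network, subnet_id: int,
                  new_prefixlen: int = 64) -> ipaddress.IPv6Network:
    """Carve the /64 with the given subnet ID out of the delegated prefix.

    A /56 leaves 8 bits between the delegated prefix and the /64 boundary,
    so valid subnet IDs are 0..255; anything larger would spill into the
    ISP's part of the prefix and must be rejected.
    """
    id_bits = new_prefixlen - delegated.prefixlen
    if id_bits < 0 or not 0 <= subnet_id < (1 << id_bits):
        raise ValueError(f"subnet ID {subnet_id} does not fit in {id_bits} bits")
    host_bits = 128 - new_prefixlen
    network = int(delegated.network_address) | (subnet_id << host_bits)
    return ipaddress.IPv6Network((network, new_prefixlen))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291): insert ff:fe in the middle of the 48-bit
    MAC and invert the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(subnet: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Address a client forms from the RA-advertised /64 plus its EUI-64 ID."""
    if subnet.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(subnet.network_address) | eui64_interface_id(mac))


if __name__ == "__main__":
    net = client_subnet(DELEGATED_PREFIX, 42)  # subnet ID 42 as in the post
    print(net, slaac_address(net, SAMPLE_MAC))
```

The EUI-64 part of the resulting address reveals the client's MAC address, which is why the phones in the screenshots can be recognised by their hardware vendor; privacy extensions (RFC 4941) avoid that by using a random interface ID instead.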

I tested the two configured subnets with my mobile devices, one in the bgroup1 network and the other in the wireless0/2 network. (I called my http://ip.webernetz.net script, which shows the client's IP address; refer to here.)

My iPhone connected behind the bgroup1 interface.

And an Android phone on wireless0/2.

And, of course, the SSG can list many details of the learned/delegated prefixes via the CLI: